COW-IMM: A Novel Integrity Measurement Method Based on Copy-on-Write for File in Virtual Machine

An integrity measurement method detects whether files have been tampered with and is used to build a trusted environment; it can improve the security of virtual machines that use a base image and an increment image. Currently, the traditional integrity measurement methods (MDA-IMM) are based on message digest algorithms, which have high computational complexity and must process a large amount of data. As a result, MDA-IMM consumes many I/O resources and takes too much time. To address these issues, we propose a novel method (COW-IMM) based on copy-on-write for the files in the base image. Its precondition is a one-to-one correspondence between the clusters of the image and the logical blocks of the file system, with both having the same size. COW-IMM obtains the information about the files to be measured from the base image and measures the integrity of those files in the increment image. We implement a prototype based on KVM, the Qcow2 image format, and Ext4. The algorithm analysis shows that, for a file of the same size, the volume of data used by COW-IMM is at least 512 times smaller than that used by MDA-IMM. The experimental evaluations show that the speedup of COW-IMM over MDA-IMM grows with file size. For example, when the file size is 0.1M, COW-IMM is about 10 times faster than MDA-IMM; when the file size is 90M, COW-IMM is about 592 times faster than MDA-IMM.
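The following is an added example, not the paper's prototype, that models the idea behind COW-IMM next to a digest-based MDA-IMM check over a base image and an increment image. It assumes the paper's precondition (one image cluster per 4096-byte file system logical block), that inspecting a cluster's allocation state costs one 8-byte qcow2 L2 table entry, and that the file-to-block map comes from the base image. SHA-256 stands in for the message digest; the class names, the `/usr/bin/script.sh` sample file and its block numbers are all constructed for the example.

```python
"""
Constructed model of copy-on-write integrity measurement (COW-IMM) next to
digest-based measurement (MDA-IMM) over a base image and an increment image.
Added example code, not the paper's prototype. Assumptions: one image cluster
corresponds to one 4096-byte file system logical block, inspecting a cluster
costs one 8-byte qcow2 L2 table entry, and the file-to-block map is read from
the base image ahead of time. SHA-256 stands in for the message digest.
"""
import hashlib
from dataclasses import dataclass, field

CLUSTER_SIZE = 4096   # assumed: cluster size == ext4 logical block size
L2_ENTRY_SIZE = 8     # qcow2 L2 table entries are 64 bits wide


@dataclass
class BaseImage:
    """Read-only backing image; cluster index -> cluster contents."""
    clusters: dict

    def read(self, cluster):
        return self.clusters.get(cluster, b"\0" * CLUSTER_SIZE)


@dataclass
class IncrementImage:
    """Overlay whose clusters exist only once a guest write triggered copy-on-write."""
    base: BaseImage
    allocated: dict = field(default_factory=dict)

    def write(self, cluster, data):
        assert len(data) == CLUSTER_SIZE
        self.allocated[cluster] = data  # COW: the cluster now lives in the overlay

    def read(self, cluster):
        if cluster in self.allocated:
            return self.allocated[cluster]
        return self.base.read(cluster)


def digest_blocks(image, blocks):
    """Hash the file's blocks in logical order, as MDA-IMM must on every check."""
    h = hashlib.sha256()
    for b in blocks:
        h.update(image.read(b))
    return h.hexdigest()


def mda_imm(image, blocks, reference_digest):
    """Digest-based check: returns (intact, bytes_examined)."""
    return digest_blocks(image, blocks) == reference_digest, len(blocks) * CLUSTER_SIZE


def cow_imm(image, blocks):
    """COW-based check: the file is intact iff none of its clusters was copied
    into the increment image. Returns (intact, bytes_examined)."""
    touched = [b for b in blocks if b in image.allocated]
    return not touched, len(blocks) * L2_ENTRY_SIZE


def pad(data):
    """Pad constructed sample content to a full cluster."""
    return data.ljust(CLUSTER_SIZE, b"\0")


def build_scenario():
    """Constructed sample: a three-block file plus an unrelated block in the base image."""
    base = BaseImage(clusters={
        10: pad(b"#!/bin/sh\n"),
        11: pad(b"echo hello\n"),
        12: pad(b"exit 0\n"),
        20: pad(b"unrelated log data\n"),
    })
    fs_map = {"/usr/bin/script.sh": [10, 11, 12], "/var/log/other": [20]}
    reference = {path: digest_blocks(base, blocks) for path, blocks in fs_map.items()}
    return base, fs_map, reference


def measure_all(increment, fs_map, reference):
    """Run both methods for every mapped file; returns path -> (cow_intact, mda_intact)."""
    return {path: (cow_imm(increment, blocks)[0],
                   mda_imm(increment, blocks, reference[path])[0])
            for path, blocks in fs_map.items()}


if __name__ == "__main__":
    base, fs_map, reference = build_scenario()
    inc = IncrementImage(base)
    inc.write(11, pad(b"echo tampered\n"))
    print(measure_all(inc, fs_map, reference))
```

Under these assumptions the bytes examined per check differ by exactly 4096 / 8 = 512, which is the lower bound the abstract states. The model also exposes the one behavioural difference worth knowing about before deploying such a check: a cluster rewritten with identical content is still allocated in the increment image, so the COW-based check reports it as modified while the digest check does not; that is a conservative false positive, not a missed tampering.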
